draft-ietf-lamps-cmp-updates-11.txt   draft-ietf-lamps-cmp-updates-12.txt 
LAMPS Working Group H. Brockhaus LAMPS Working Group H. Brockhaus
Internet-Draft D. von Oheimb Internet-Draft D. von Oheimb
Updates: 4210, 5912, 6712 (if approved) Siemens Updates: 4210, 5912, 6712 (if approved) Siemens
Intended status: Standards Track 30 June 2021 Intended status: Standards Track 9 July 2021
Expires: 1 January 2022 Expires: 10 January 2022
Certificate Management Protocol (CMP) Updates Certificate Management Protocol (CMP) Updates
draft-ietf-lamps-cmp-updates-11 draft-ietf-lamps-cmp-updates-12
Abstract Abstract
This document contains a set of updates to the syntax and transport This document contains a set of updates to the syntax and transport
of Certificate Management Protocol (CMP) version 2. This document of Certificate Management Protocol (CMP) version 2. This document
updates RFC 4210 and RFC 6712. updates RFC 4210 and RFC 6712.
The aspects of CMP updated in this document are using EnvelopedData The aspects of CMP updated in this document are using EnvelopedData
instead of EncryptedValue, clarifying the handling of p10cr messages, instead of EncryptedValue, clarifying the handling of p10cr messages,
improving the crypto agility, as well as adding new general message improving the crypto agility, as well as adding new general message
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 January 2022. This Internet-Draft will expire on 10 January 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 38 skipping to change at page 2, line 38
2.4. New Section 5.1.1.3. - RootCaCert . . . . . . . . . . . . 7 2.4. New Section 5.1.1.3. - RootCaCert . . . . . . . . . . . . 7
2.5. New Section 5.1.1.4. - CertProfile . . . . . . . . . . . 8 2.5. New Section 5.1.1.4. - CertProfile . . . . . . . . . . . 8
2.6. Update Section 5.1.3.1. - Shared Secret Information . . . 8 2.6. Update Section 5.1.3.1. - Shared Secret Information . . . 8
2.7. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 8 2.7. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 8
2.8. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 9 2.8. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 9
2.9. Update Section 5.3.4. - Certification Response . . . . . 11 2.9. Update Section 5.3.4. - Certification Response . . . . . 11
2.10. Update Section 5.3.18. - Certificate Confirmation 2.10. Update Section 5.3.18. - Certificate Confirmation
Content . . . . . . . . . . . . . . . . . . . . . . . . 12 Content . . . . . . . . . . . . . . . . . . . . . . . . 12
2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 12 2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 12
2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key 2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key
Pair Types . . . . . . . . . . . . . . . . . . . . . . . 12 Pair Types . . . . . . . . . . . . . . . . . . . . . . . 13
2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13 2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13
2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 13 2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 13
2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 13 2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 14
2.16. New Section 5.3.19.16 - Certificate Request Template . . 14 2.16. New Section 5.3.19.16 - Certificate Request Template . . 14
2.17. Update Section 5.3.22 - Polling Request and Response . . 15 2.17. Update Section 5.3.22 - Polling Request and Response . . 16
2.18. Update Section 7 - Version Negotiation . . . . . . . . . 16 2.18. Update Section 7 - Version Negotiation . . . . . . . . . 16
2.19. Update Section 7.1.1. - Clients Talking to RFC 2510 2.19. Update Section 7.1.1. - Clients Talking to RFC 2510
Servers . . . . . . . . . . . . . . . . . . . . . . . . 17 Servers . . . . . . . . . . . . . . . . . . . . . . . . 17
2.20. Update Section 9 - IANA Considerations . . . . . . . . . 17 2.20. Update Section 9 - IANA Considerations . . . . . . . . . 17
2.21. Update Appendix B - The Use of Revocation Passphrase . . 19 2.21. Update Appendix B - The Use of Revocation Passphrase . . 19
2.22. Update Appendix C - Request Message Behavioral 2.22. Update Appendix C - Request Message Behavioral
Clarifications . . . . . . . . . . . . . . . . . . . . . 19 Clarifications . . . . . . . . . . . . . . . . . . . . . 20
2.23. Update Appendix D.1. - General Rules for Interpretation of 2.23. Update Appendix D.1. - General Rules for Interpretation of
These Profiles . . . . . . . . . . . . . . . . . . . . . 20 These Profiles . . . . . . . . . . . . . . . . . . . . . 20
2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 20 2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 21
2.25. Update Appendix D.4. - Initial Registration/Certification 2.25. Update Appendix D.4. - Initial Registration/Certification
(Basic Authenticated Scheme) . . . . . . . . . . . . . . 21 (Basic Authenticated Scheme) . . . . . . . . . . . . . . 21
3. Updates to RFC 6712 - HTTP Transfer for the Certificate 3. Updates to RFC 6712 - HTTP Transfer for the Certificate
Management Protocol (CMP) . . . . . . . . . . . . . . . . 21 Management Protocol (CMP) . . . . . . . . . . . . . . . . 21
3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 21 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 21
3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 21 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 22
3.3. Update Section 6. - IANA Considerations . . . . . . . . . 22 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 22
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
5. Security Considerations . . . . . . . . . . . . . . . . . . . 23 5. Security Considerations . . . . . . . . . . . . . . . . . . . 23
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1. Normative References . . . . . . . . . . . . . . . . . . 23 7.1. Normative References . . . . . . . . . . . . . . . . . . 23
7.2. Informative References . . . . . . . . . . . . . . . . . 25 7.2. Informative References . . . . . . . . . . . . . . . . . 25
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 25 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 26
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 26
A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 38 A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 39
Appendix B. History of changes . . . . . . . . . . . . . . . . . 51 Appendix B. History of changes . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
While using CMP [RFC4210] in industrial and IoT environments and While using CMP [RFC4210] in industrial and IoT environments and
developing the Lightweight CMP Profile developing the Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were
identified in the original CMP specification. This document updates identified in the original CMP specification. This document updates
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these
skipping to change at page 8, line 15 skipping to change at page 8, line 15
2.5. New Section 5.1.1.4. - CertProfile 2.5. New Section 5.1.1.4. - CertProfile
Section 5.1.1 of RFC 4210 [RFC4210] defines the PKIHeader and id-it Section 5.1.1 of RFC 4210 [RFC4210] defines the PKIHeader and id-it
OIDs to be used in the generalInfo field. This section introduces OIDs to be used in the generalInfo field. This section introduces
id-it-certProfile. id-it-certProfile.
Insert this section after Section 5.1.1.3: Insert this section after Section 5.1.1.3:
5.1.1.4. CertProfile 5.1.1.4. CertProfile
This is used by the EE to indicate a specific certificate profile, This is used by the EE to indicate specific certificate profiles,
e.g., when requesting a new certificate or a certificate request e.g., when requesting a new certificate or a certificate request
template, see Section 5.3.19.16. template, see Section 5.3.19.16.
id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
CertProfileValue ::= UTF8String CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String
When used in a ir/cr/kur/genm, the value MUST NOT contain more
elements than the number of CertReqMsg or InfoTypeAndValue elements
and the certificate profile names refer to the elements in the given
order.
When used in a p10cr, the value MUST NOT contain multiple certificate
profile names.
2.6. Update Section 5.1.3.1. - Shared Secret Information 2.6. Update Section 5.1.3.1. - Shared Secret Information
Section 5.1.3.1 of RFC 4210 [RFC4210] describes the MAC based Section 5.1.3.1 of RFC 4210 [RFC4210] describes the MAC based
protection of a PKIMessage using the algorithm id-PasswordBasedMac. protection of a PKIMessage using the algorithm id-PasswordBasedMac.
Replace the first paragraph with the following text: Replace the first paragraph with the following text:
In this case, the sender and recipient share secret information with In this case, the sender and recipient share secret information with
sufficient entropy (established via out-of-band means or from a sufficient entropy (established via out-of-band means or from a
skipping to change at page 37, line 13 skipping to change at page 37, line 35
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18}
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
-- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC]
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent -- CertReqTemplateValue ::= CertReqTemplateContent
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- - id-it-certReqTemplate added in CMP Updates [thisRFC]
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20}
-- RootCaCertValue ::= CMPCertificate -- RootCaCertValue ::= CMPCertificate
-- - id-it-rootCaCert added in CMP Updates [thisRFC] -- - id-it-rootCaCert added in CMP Updates [thisRFC]
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
-- CertProfileValue ::= UTF8String -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-- - id-it-certProfile added in CMP Updates [thisRFC] -- - id-it-certProfile added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-- --
skipping to change at page 50, line 4 skipping to change at page 50, line 22
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18}
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
-- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC]
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent -- CertReqTemplateValue ::= CertReqTemplateContent
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- - id-it-certReqTemplate added in CMP Updates [thisRFC]
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20}
-- RootCaCertValue ::= CMPCertificate -- RootCaCertValue ::= CMPCertificate
-- - id-it-rootCaCert added in CMP Updates [thisRFC] -- - id-it-rootCaCert added in CMP Updates [thisRFC]
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
-- CertProfileValue ::= UTF8String -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-- - id-it-certProfile added in CMP Updates [thisRFC] -- - id-it-certProfile added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-- --
skipping to change at page 51, line 36 skipping to change at page 52, line 5
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of changes Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 11 -> 12:
* Extended Section 2.5 and the ASN.1 modules in Appendix A to allow
a sequence of certificate profiles in CertProfileValue (see thread
"id-it-CertProfile in draft-ietf-lamps-cmp-updates")
From version 10 -> 11: From version 10 -> 11:
* Add Section 2.10 to add an additional hashAlg field to the * Add Section 2.10 to add an additional hashAlg field to the
CertStatus type to support certificates signed with a signature CertStatus type to support certificates signed with a signature
algorithm not explicitly indicating a hash algorithm in the algorithm not explicitly indicating a hash algorithm in the
AlgorithmIdentifier (see thread "Hash algorithm to us for AlgorithmIdentifier (see thread "Hash algorithm to us for
calculating certHash") calculating certHash")
* Added newly registered OIDs and temporarily registered URI suffix * Added newly registered OIDs and temporarily registered URI suffix
* Exchanged the import of CertificationRequest from RFC 2986 to the * Exchanged the import of CertificationRequest from RFC 2986 to the
definition from RFC 6402 Appendix A.1 (see thread "CMP Update of definition from RFC 6402 Appendix A.1 (see thread "CMP Update of
 End of changes. 16 change blocks. 
18 lines changed or deleted 32 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/